Lawsuit allegations spur a review, and reassurances

Microsoft said this week it is investigating a lawsuit's allegation that the camera application on Windows Phone 7 handsets collects location data from nearby Wi-Fi and cellular networks -- even if the user refuses permission to do so.

But the company repeated its assurance that it doesn't associate a unique identifier with the location, so the data collected by the application and stored on Microsoft servers "cannot be correlated to a specific device or user. Any transmission of location data by the Windows Phone camera would not enable Microsoft to identify an individual or 'track' his or her movements."

But that statement still leaves many questions unanswered, and Microsoft has given no sign as to when, or whether, it will address them.

The allegation of location snooping is at the center of a proposed class action lawsuit filed last week in federal court in Seattle on behalf of a Michigan woman, Rebecca Cousineau, and "all others similarly situated." The legal firm filing the suit, Seattle-based Tousley Brain Stephens, hired a security researcher, Samy Kamkar, to test whether the application was collecting the data and sending it to a location database on a Microsoft server, according to CNET.

The lawsuit charges, according to the original Reuters story on Aug. 31, that Microsoft "intentionally designed camera software on the Windows Phone 7 operating system to ignore customer requests that they not be tracked." In the case of the Windows Phone camera, the location data is intended to be associated with a user's photos.

"The Windows Mobile operating system is clearly sending information that can lead to accurate location information of the mobile device regardless of whether the user allowed it," Kamkar wrote in his analysis, which is part of the lawsuit. He's probably best known, according to a Wikipedia entry, for creating and releasing the first self-propagating cross-site scripting worm, dubbed the Samy worm, into MySpace, causing the website to crash. He pled guilty to a felony charge of computer hacking, and recently has been focused on researching computer location and privacy issues, most notably with regard to Google's Android mobile operating system.

According to news accounts, Kamkar's lawsuit analysis concludes: "When hitting 'cancel' to prevent your location information from being shared, the phone continues to intermittently transmit information from Wi-Fi networks and cellular towers to a host owned by Microsoft Corporation leading to the user's location. The Windows Mobile operating system is clearly sending information that can lead to accurate location information of the mobile device regardless of whether the user allowed the Camera application to share location information or not."

GeekWire included via DocStoc the full text of the complaint in its story about the suit.

The suit asks the court to order Microsoft to stop gathering location data after users choose not to allow it, and seeks unspecified damages.

In its response this week, sent first to International Business Times and then GeekWire, Microsoft reiterates its position: "Because we do not store unique identifiers with any data transmitted to our location service database by the Windows Phone camera or any other application, the data captured and stored on our location database cannot be correlated to a specific device or user. Any transmission of location data by the Windows Phone camera would not enable Microsoft to identify an individual or 'track' his or her movements."

Microsoft seems to be saying that even if the camera application is indeed still collecting the data, it can't be used to pinpoint the user.

Nevertheless, the company's statement also says it is "investigating the claims raised in the complaint."

Microsoft's location practices and policies came into view last April, after it was revealed that Apple and Google were collecting and storing locally on iOS and Android handsets information about the phone's locations. The revelations, in The Wall Street Journal and elsewhere, eventually sparked a congressional hearing, where all three companies, along with the main U.S. cellular carriers, outlined their location data practices.

Microsoft said then, as reported by WinRumors, that it didn't store location data on the phone itself, and only collected it when the end user specifically granted an application permission to do so. The information is transmitted to a server hosted by Microsoft.

Essentially, he found it was possible to retrace a computer's location using its MAC address to query the Microsoft database.

Microsoft did not say when its investigation would be complete. To date, Microsoft along with Apple, Google and the wireless carriers have given only general outlines of what user and location data they collect, the reasons for doing so, and how and when the data is used.